Skip to content

JS: recognize more express URL related sources #12518

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
erik-krogh merged 2 commits into from
Mar 20, 2023
Merged

JS: recognize more express URL related sources #12518

erik-krogh merged 2 commits into from
Mar 20, 2023

Conversation

@erik-krogh
Copy link
Contributor

@erik-krogh erik-krogh commented Mar 14, 2023
edited
Loading

CVE-2022-2237: Recognize the source

I'm hoping the code is self-explanatory.

Evaluation was unevenful.

@github-actions github-actions bot added the JS label Mar 14, 2023
@erik-krogh erik-krogh force-pushed the more-express-sources branch from 0a89291 to a72436f Compare March 15, 2023 09:14
@erik-krogh erik-krogh marked this pull request as ready for review March 16, 2023 07:12
@erik-krogh erik-krogh requested a review from a team as a code owner March 16, 2023 07:12
asgerf
asgerf reviewed Mar 16, 2023
View reviewed changes
javascript/ql/lib/semmle/javascript/frameworks/Express.qll Outdated
(
if exists(queryRef(request).getAPropertyRead())
then this = queryRef(request).getAPropertyRead()
else this = queryRef(request)
Copy link
Contributor

@asgerf asgerf Mar 16, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
else this = queryRef(request)
else this = request.ref().getAPropertyRead("query")

and similar for params (feel free to refactor to eliminate the duplication with queryRef).

Treating the result of the type-tracking predicate as a source can lead to redundant sources:

foo(req.query); // <-- 'req.query' is the correct source
function foo(query) {} // <-- 'query' becomes a redundant source

@erik-krogh erik-krogh added the no-change-note-required This PR does not need a change note label Mar 16, 2023
@erik-krogh
Copy link
Contributor Author

erik-krogh commented Mar 20, 2023

Final confirmation evaluations looks good.

@erik-krogh erik-krogh merged commit 540542c into github:main Mar 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@asgerf asgerf asgerf approved these changes

Assignees

No one assigned

Labels

JS no-change-note-required This PR does not need a change note

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@erik-krogh @asgerf